PKI and HSM in a SME – 1/4 – Introduction

This is part 1 of 4 of PKI and HSM in a SME.
In this part, we introduce the tutorial and the companies involved in it.
It is based on what I’ve done at KeeeX, the SME I’m employed in.

About this tutorial

What are we talking about?

The goal of this tutorial is to build a relatively secure and cheap PKI for your business, organization or personal use, by:

Installing and basically securing full PKI software, EJBCA, on a Debian Stretch VM,

Securely forwarding an HSM over SSH through the Internet, from your office to the VM, for use by EJBCA.

AMUSec Conference slideshow (in French)

Companies involved

KeeeX

What is KeeeX?

The KeeeX company was founded in December 2014 by Laurent Henocque, an engineer from Ecole Polytechnique (X82), lecturer researcher at Aix Marseille University, CNRS, with a focus on constraint programming, and semantic web expertise.

KeeeX was an answer to a number of questions:

how to warrant the authenticity of digital information independently of any web service or dedicated infrastructure?

how to preserve the organisation and links between files across multiple storage locations?

how to find files instantly, whatever their location on the internet or a disk?

What is KeeeX doing?

KeeeX injects trusted metadata into your files without changing the format and readability of your documents and data. They are timestamped in real time and their unique hash is anchored by default on the Bitcoin Blockchain to prove the existence of the file on a given date.

By sealing proofs of integrity and authenticity in your documents, you can be sure that the document (+250 file formats supported) is an unmodified original and that you are the author of it. KeeeX also adds tags to facilitate search and allows cryptographic linking between files (versioning, appendix …).

What are you doing there?

I’m an IT engineer with many roles: multi-tasking developer (mobile apps, some backends and services), sysadmin and Data Protection Officer (in accordance with GDPR).

To cryptographers/infosec comrades: Did you write “blockchain”?

We are using Bitcoin Blockchain for time proofs. Only for time proofs. And it works fine.
And anyway, if you don’t believe it, we’re using standard RFC 3161 timestamping (and this is one of the reasons we need a PKI).

Why do you need a PKI?

As a part-time sysadmin at KeeeX, it was clear to me that we needed to use a PKI for many reasons:

to have a Trusted Timestamping infrastructure with reliable X.509 certificates and in accordance with RFC 3161;

Nitrokey

What is Nitrokey?

Nitrokey is a USB key that enables highly secure encryption and signing of emails and data, as well as login to the Web, networks and computers. Their Nitrokey HSM product is very interesting: Nitrokey HSM secures the cryptographic keys of your own PKI and your server.

What can I do with this?

Nitrokey HSM features:

Up to 31 ECC GF(p) 256-bit keys storage,

Up to 20 RSA 2048-bit keys storage,

Based on SmartCard-HSM,

Both hardware and software are open-source and free software. All development tools are available as open source and for free.

Your secret keys are stored in the tamper-resistant and PIN-protected device and are secured against computer viruses, loss and theft.

The device is PIN-protected and is secured against hardware attacks.

Backups protect against loss.

It’s 60€. Yes.

We’re gonna use it to store critical private keys with EJBCA. You can get a detailed fact sheet here.

Hi Jan, this means I need to make a new purchase, and retest my tutorial with the new Nitrokey HSM 2!
Glad to see RSA 4096 bits in the new version! 🙂
Also very happy to see Nitrokey team (if you indeed are) coming around my blog <3
Have a nice evening